The FBI says any mobile apps made in Russia are considered a “potential counterintelligence threat.” Cybersecurity experts say the situation is complicated.
On Monday, New York Sen. Chuck Schumer released a response he received from the federal agency last month referencing the suspected dangers of Russia-based FaceApp, which went viral earlier this year. The app lets users upload their selfie photos and apply an aging filter.
Since it surfaced back in 2017, many have questioned how data and photos sent to FaceApp are stored by the company. Now we know the FBI’s stance.
It’s not clear what other Russian mobile applications the FBI considers to be potential threats, as none are mentioned by name in its statement to the senator, but the letter certainly indicates that the default position is one of suspicion.
The FBI noted Russia’s intelligence services have “robust cyber exploitation capabilities” that can be used to obtain data directly from internet service providers (ISP). The inference is clear: that U.S. user data sent to the firm’s St. Petersburg operation could easily be scooped up.
In July, TechCrunch reported the company’s research and development team is in Russia, but FaceApp bosses stress a lot of the data is actually stored by Google and Amazon.
The FBI declined to comment.
Broadly, cybersecurity experts agreed that data in Russia would be at risk to exploitation by the same state which spearheaded the operation to meddle in the 2016 presidential election. But they stressed the reality is complex, and were reluctant to paint every Russian app as being nefarious.
“It feels like a stretch to me to say any app developed in Russia is a counterintelligence threat,” Robert Pritchard, a former cybersecurity advisor to the U.K. government, told Newsweek. “Sure there may be privacy risks, and you certainly wouldn’t want U.S. government employees using it, but beyond that I’m not really sure how it qualifies.
“I don’t think the FBI would be political, but I suspect it’s something of a broad brush response,” Pritchard continued. “Russian laws mean they can have access to anything, ‘we don’t trust the agencies, ergo security threat.’ I’m not disputing the FBI’s distrust of the application. I wouldn’t use it, but I don’t really see how that reaches the threshold of counterintelligence threat.”
In its letter to Sen. Schumer, the FBI cited concerns about FaceApp‘s access to device cookies, log files, and metadata. Previously, in July, speculation suggested the app could be used to train facial recognition software—a claim denied by the company, the BBC reported.
The FBI noted in its letter to the senator, first reported by Axios, that FaceApp claims to upload its users’ selfie photos to servers in the U.S., Singapore, Ireland and Australia.
“I’m not sure if the FBI [is most concerned about] Russia-made apps or Russian servers holding data. There’s a difference,” Lukas Stefanko, a malware researcher at ESET, told Newsweek.
“If the Russian government can snoop on any server in Russia, that might be concerning, but it is not fair to say that all Russian-made apps are a security risk, especially without any proof.”
According to analytics company SensorTower, some of the most popular mobile apps by Russian publishers in Q1 2019 included Homescapes (Playrix), Vegas Crime Simulator (Naksiks, OOO), and social media platform VK (VKontakte). Each application boasts millions of downloads.
SensorTower data, updated as recently as last month, suggests FaceApp has now amassed up to 3 million downloads on Google Android devices and 400,000 more via Apple iOS.
FaceApp previously said user data is not transferred to Russia.
He said: “For Amazon Web Services we specify the U.S. as the data storage location, for Google Cloud Platform, we specify data storage at a location closest to you when you use the app.
“The app only uploads to the cloud the photographs that users specifically selected for editing. Photos are temporarily cached on the cloud servers during the editing process and encrypted using a key stored locally on the user’s device,” Goncharov continued.
“Photographs remain in the cloud for a limited period of 24-48 hours after users have last edited the photograph, and are then deleted along with editing data associated with the photograph.”
Armando Orozco, a senior malware intelligence analyst at cybersecurity and anti-virus company Malwarebytes, said the FBI’s blanket anti-Russian app policy had overtones of “political posturing.”
“After the chaos in the 2016 presidential election… the message seems to be everything Russian should be off limits because they cannot be trusted in 2020,” Orozco told Newsweek.
“With Putin signing legislation requiring all smartphones and computers to come pre-installed with Russian apps, they might be trying to get ahead of the storm. There could potentially be more Russian-made apps and devices entering the market. There is no evidence that FaceApp is a Russian spy app, but it became popular very fast, even among celebrities and politicians.
“Which also could explain the ‘be careful’ messaging. Reading through some of the app reviews, right now I think this app is after people’s wallets rather than their selfies. The message should be: be careful of all the apps you use, whether it be made in the U.S., Russia, anywhere,” Orozco said.